# ferm rules for traffic forwarded to LOCKSS swarm services via docker_gwbridge.
# The address lists are rendered by Ansible/Jinja2 from inventory variables.

# Peer LOCKSS hosts: allowed to reach the poller only.
@def $LOCKSS_NET = ({{ lockss_network_ips | join(" ") }});

# Administrative hosts: allowed to reach the per-service configuration ports.
@def $MGMT_NET = ({{ lockss_admin_ips | join(" ") }});

# Container-side TCP ports reachable from $MGMT_NET.
@def $LOCKSS_CONFIG_PORTS = (
    24640 24641                           # metadata-extraction-service
    24602                                 # postgres
    24650 24651                           # metadata-service
    24610                                 # repository-service
    24600 24606 24620 24621               # configuration-service
    24630 24631 24670 24672 24674 24680   # poller
    24681                                 # pywb
    24603                                 # solr
);

# Container-side TCP ports reachable from $LOCKSS_NET.
@def $LOCKSS_NET_PORTS = (
    9729   # poller
);

domain (ip ip6) table filter chain DOCKER-USER {
    # Packets bound for a docker service arrive on the FORWARD chain and
    # leave through docker_gwbridge; DOCKER-USER is where Docker lets the
    # administrator insert rules ahead of its own.
    outerface docker_gwbridge {
        # dport here is the port the process listens on INSIDE the
        # container, which may differ from the port published on the host.
        proto tcp {
            saddr $LOCKSS_NET dport $LOCKSS_NET_PORTS    ACCEPT;
            saddr $MGMT_NET   dport $LOCKSS_CONFIG_PORTS ACCEPT;
        }
        # NOTE(review): no terminal DROP/REJECT for docker_gwbridge is visible
        # in this file. Per Docker's documented chain order, packets that match
        # nothing in DOCKER-USER fall through to Docker's own FORWARD rules,
        # which accept every published port -- so these ACCEPTs only restrict
        # access if a default-deny for this interface exists elsewhere (e.g. a
        # later ferm include appending to DOCKER-USER). Confirm that it does.
        # NOTE(review): if lockss_network_ips or lockss_admin_ips renders
        # empty, the @def becomes `()`; check how the installed ferm version
        # treats an empty saddr list before relying on "no hosts listed"
        # meaning "no access".
        # NOTE(review): this block is emitted for both ip and ip6; verify the
        # rendered lists carry the address families you expect for each
        # domain, since an IPv6-only admin host would be unreachable via the
        # IPv4 rule and vice versa.
    }
}